Keycloak: KEYCLOAK-13858

SAML2 Identity Provider - Support for login_hint and username

    Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Major
    • Resolution: Rejected
    • Affects Version/s: 9.0.3
    • Fix Version/s: None
    • Component/s: Protocol - SAML
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: NEW

    Description

    Motivation

    When working with SAML IDPs, it is currently not possible to use provider-specific features such as `login_hint` forwarding. The purpose here is to be able to automatically prefill an IDP login form with a given username.

    For instance, this feature is supported by ADFS: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/a8622e66-2285-43c0-bbb9-abfcecdaed86

    Here is the use case scenario we have to solve: https://groups.google.com/forum/#!topic/keycloak-user/hbTf_OyhFCA

    Limitations

    • Considering `login_hint` is not part of the SAML protocol, this feature should not be used with incompatible IDPs (e.g. a SAML client provider on Keycloak).
    • By default, Keycloak's login form is not designed to include a `login_hint` in the destination URL of SAML social buttons. This must be done in a dedicated URL builder and/or in a custom login template.

    Solution

    • This PR takes a query parameter named `login_hint` into account and forwards it in the destination URL of your SAML identity provider.
    • This parameter is sanitized and is added to the destination URL as two query parameters named `login_hint` and `username`. When no `login_hint` is provided, nothing is forwarded.
    • This does not require any change in the identity provider configuration, except enabling a "Pass login_hint" toggle, which is `false` by default.
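    The following is an added, stand-alone model of the forwarding behaviour the description asks for; it is not the reporter's pull request and not Keycloak code (Keycloak is Java, this is Python so it can be run as-is). It shows the three properties the Solution bullets state: the hint is only forwarded when present, only when a per-IdP toggle (modelled as `pass_login_hint`, default off) is enabled, and it lands in the IdP URL as both `login_hint` and `username`. The sanitization rules (reject empty, over-long or non-printable values, with an assumed 255-character cap), the function names, and the `adfs.example.com` endpoint are assumptions; the issue only says the value is "sanitized". The example also shows why percent-encoding matters: a hint containing `&` or `=` must reach the IdP as one value and not as extra query parameters.

```python
"""Added illustration of the login_hint forwarding described in KEYCLOAK-13858.

This is NOT Keycloak code: it models the behaviour the description asks for
(forward a sanitized `login_hint` as both `login_hint` and `username`, only
when present and only when a per-IdP toggle is on) in stand-alone Python.
The sanitization rules and the length limit are assumptions; the issue only
says the value is "sanitized".
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed cap; the issue does not specify a limit.
MAX_HINT_LENGTH = 255


def sanitize_login_hint(raw):
    """Return a usable hint, or None if the value must not be forwarded.

    Control characters (CR, LF, NUL, ...) have no place in a username and are
    the usual vehicle for header or parameter injection at the IdP, so the
    whole value is dropped rather than partially cleaned.
    """
    if raw is None:
        return None
    hint = raw.strip()
    if not hint or len(hint) > MAX_HINT_LENGTH:
        return None
    if not hint.isprintable():
        return None
    return hint


def extract_login_hint(request_query):
    """Pick `login_hint` out of the query string received from the client."""
    params = dict(parse_qsl(request_query, keep_blank_values=True))
    return params.get("login_hint")


def build_idp_destination(sso_url, login_hint=None, pass_login_hint=False):
    """Build the redirect URL towards the SAML IdP.

    pass_login_hint models the proposed "Pass login_hint" toggle (false by
    default). With the toggle off, or without a usable hint, the configured
    SSO URL is returned unchanged, i.e. nothing is forwarded.
    """
    if not pass_login_hint:
        return sso_url
    hint = sanitize_login_hint(login_hint)
    if hint is None:
        return sso_url
    parts = urlsplit(sso_url)
    # Keep whatever query the configured SSO URL already carries, then append
    # the two parameters. urlencode percent-encodes the value, so a hint
    # containing '&' or '=' stays a single value instead of becoming extra
    # parameters on the IdP side.
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("login_hint", hint), ("username", hint)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def forwarded_params(url):
    """The query parameters of `url` as the IdP would parse them."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Placeholder ADFS endpoint and constructed client request, not real data.
    sso = "https://adfs.example.com/adfs/ls/"
    incoming = "client_id=myapp&login_hint=alice%40example.com"
    print(build_idp_destination(sso, extract_login_hint(incoming), pass_login_hint=True))
    # Same request with the toggle left at its default: nothing is forwarded.
    print(build_idp_destination(sso, extract_login_hint(incoming)))
```

    Rejecting rather than stripping control characters is deliberate: a "username" carrying CR/LF is not a typo to repair but a probe, and silently forwarding the cleaned remainder would hide that from the IdP's logs.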


    People

    • Assignee: Unassigned
    • Reporter: looorent Lorent Lempereur
    • Votes: 0
    • Watchers: 2
